CORS errors in V0 apps occur when client-side code calls external APIs that do not allow cross-origin requests from your domain. Fix this by routing external API calls through a Next.js API route that acts as a server-side proxy, avoiding the browser's CORS enforcement entirely. For APIs you control, add the appropriate Access-Control-Allow-Origin headers. Never attempt to disable CORS from the client side.
Why CORS errors happen in V0 apps
CORS (Cross-Origin Resource Sharing) is a browser security policy that blocks client-side JavaScript from making requests to a different domain unless that domain explicitly allows it. V0 generates fetch calls directly from React components — which run in the browser — to external APIs. If the external API does not return Access-Control-Allow-Origin headers permitting your V0 domain, the browser blocks the response. This problem is especially confusing because the same API call works perfectly in V0's Vercel Sandbox preview (which may proxy requests differently) but fails after deployment. The solution in Next.js is straightforward: move the fetch call to a server-side API route where CORS does not apply.
- V0 generates fetch calls to external APIs directly in client components where CORS applies
- External API does not include Access-Control-Allow-Origin header for your V0 deployment domain
- V0 preview sandbox may proxy requests differently than the production deployment
- Browser preflight OPTIONS request fails because the external API does not handle it
- API keys are passed in client-side headers, triggering CORS preflight for non-simple requests
Error messages you might see
Access to fetch at 'https://api.example.com/data' from origin 'https://your-app.vercel.app' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.The external API did not return the Access-Control-Allow-Origin header. The browser blocked the response even though the request was sent successfully. Route the call through a Next.js API route instead.
Access to fetch at 'https://api.example.com/data' from origin 'https://your-app.vercel.app' has been blocked by CORS policy: Response to preflight request doesn't pass access control check.The browser sent an OPTIONS preflight request (triggered by custom headers like Authorization), and the API did not respond with the required CORS headers. Use an API route proxy to avoid the preflight entirely.
TypeError: Failed to fetchThis generic error often masks a CORS failure. Check the browser console for CORS-related messages. The fetch fails silently from JavaScript's perspective because the browser blocks the response.
Access to XMLHttpRequest at 'https://api.example.com' from origin 'http://localhost:3000' has been blocked by CORS policy: The 'Access-Control-Allow-Origin' header has a value 'https://production.vercel.app' that is not equal to the supplied origin.The API allows your production domain but not localhost. Add both origins to the API's allowed list, or use a Next.js API route proxy during development.
Before you start
- A V0 project that calls an external API from client-side code and receives CORS errors
- Access to the V0 editor or exported project code
- API keys stored in the V0 Vars panel (not hardcoded in client code)
How to fix it
Create a Next.js API route as a CORS proxy
Server-side code is not subject to CORS restrictions. By moving the external API call to a Next.js API route, the request goes from your server to the external API (server-to-server), bypassing the browser's CORS enforcement entirely. Your client code then calls your own API route, which is same-origin and CORS-free.
Create a Next.js API route as a CORS proxy
Server-side code is not subject to CORS restrictions. By moving the external API call to a Next.js API route, the request goes from your server to the external API (server-to-server), bypassing the browser's CORS enforcement entirely. Your client code then calls your own API route, which is same-origin and CORS-free.
Create a route handler in app/api/ that receives the request from your client, forwards it to the external API with any required headers or API keys, and returns the response. Store API keys in the Vars panel and access them via process.env.
// Client component — CORS error"use client"export default function WeatherWidget() { async function fetchWeather() { const res = await fetch( `https://api.openweathermap.org/data/2.5/weather?q=London&appid=YOUR_KEY` ) const data = await res.json() }}// app/api/weather/route.ts — Server-side proxyimport { NextResponse } from "next/server"export async function GET(request: Request) { const { searchParams } = new URL(request.url) const city = searchParams.get("city") || "London" const res = await fetch( `https://api.openweathermap.org/data/2.5/weather?q=${city}&appid=${process.env.WEATHER_API_KEY}` ) if (!res.ok) { return NextResponse.json( { error: "Failed to fetch weather" }, { status: res.status } ) } const data = await res.json() return NextResponse.json(data)}Expected result: The API route successfully calls the external weather API from the server side with no CORS restrictions. The API key stays on the server and is never exposed to the client.
Update client code to call your API route instead
Your client component now calls /api/weather on the same origin, which never triggers CORS. The API route handles the external call and returns the data.
Update client code to call your API route instead
Your client component now calls /api/weather on the same origin, which never triggers CORS. The API route handles the external call and returns the data.
Replace the direct external API URL in your client component's fetch call with the path to your new API route. Pass any parameters as query strings or request body.
const res = await fetch( `https://api.openweathermap.org/data/2.5/weather?q=${city}&appid=YOUR_KEY`)const res = await fetch(`/api/weather?city=${encodeURIComponent(city)}`)Expected result: The client fetch call succeeds without any CORS errors. The browser console shows no blocked requests. Data from the external API displays correctly.
Add CORS headers to your own API routes if needed
If other frontends or mobile apps need to call your V0 app's API routes, you need to add CORS headers to those routes. This is the reverse scenario — you control the API and need to allow specific origins.
Add CORS headers to your own API routes if needed
If other frontends or mobile apps need to call your V0 app's API routes, you need to add CORS headers to those routes. This is the reverse scenario — you control the API and need to allow specific origins.
Add Access-Control-Allow-Origin and related headers to your API route responses. For development, you can use a wildcard, but in production, specify exact allowed origins.
export async function GET() { const data = await getData() return NextResponse.json(data)}export async function GET() { const data = await getData() const response = NextResponse.json(data) response.headers.set("Access-Control-Allow-Origin", "https://your-other-app.vercel.app") response.headers.set("Access-Control-Allow-Methods", "GET, POST, OPTIONS") response.headers.set("Access-Control-Allow-Headers", "Content-Type, Authorization") return response}export async function OPTIONS() { return new NextResponse(null, { status: 204, headers: { "Access-Control-Allow-Origin": "https://your-other-app.vercel.app", "Access-Control-Allow-Methods": "GET, POST, OPTIONS", "Access-Control-Allow-Headers": "Content-Type, Authorization", }, })}Expected result: Other frontends can successfully call your API routes without CORS errors. The OPTIONS preflight request returns the correct headers.
Use Next.js middleware for global CORS headers
If multiple API routes need the same CORS configuration, adding headers in middleware avoids duplicating the logic in every route handler.
Use Next.js middleware for global CORS headers
If multiple API routes need the same CORS configuration, adding headers in middleware avoids duplicating the logic in every route handler.
Add CORS headers in middleware.ts for all API routes matching a specific pattern. This applies the headers before the route handler runs.
1// middleware.ts2import { NextResponse } from "next/server"3import type { NextRequest } from "next/server"45const allowedOrigins = [6 "https://your-other-app.vercel.app",7 "http://localhost:3000",8]910export function middleware(request: NextRequest) {11 const origin = request.headers.get("origin") || ""12 const isAllowed = allowedOrigins.includes(origin)1314 if (request.method === "OPTIONS") {15 return new NextResponse(null, {16 status: 204,17 headers: {18 "Access-Control-Allow-Origin": isAllowed ? origin : "",19 "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, OPTIONS",20 "Access-Control-Allow-Headers": "Content-Type, Authorization",21 "Access-Control-Max-Age": "86400",22 },23 })24 }2526 const response = NextResponse.next()27 if (isAllowed) {28 response.headers.set("Access-Control-Allow-Origin", origin)29 }30 return response31}3233export const config = {34 matcher: "/api/:path*",35}Expected result: All API routes automatically include the correct CORS headers. Preflight requests are handled globally without modifying individual route handlers.
Complete code example
1import { NextResponse } from "next/server"23const ALLOWED_APIS: Record<string, string> = {4 weather: "https://api.openweathermap.org/data/2.5",5 github: "https://api.github.com",6}78export async function GET(request: Request) {9 const { searchParams } = new URL(request.url)10 const service = searchParams.get("service")11 const path = searchParams.get("path")1213 if (!service || !path || !ALLOWED_APIS[service]) {14 return NextResponse.json(15 { error: "Invalid service or path" },16 { status: 400 }17 )18 }1920 const apiUrl = `${ALLOWED_APIS[service]}${path}`21 const apiKey = process.env[`${service.toUpperCase()}_API_KEY`]2223 try {24 const headers: Record<string, string> = {25 "Content-Type": "application/json",26 }27 if (apiKey) {28 headers["Authorization"] = `Bearer ${apiKey}`29 }3031 const response = await fetch(apiUrl, { headers })3233 if (!response.ok) {34 return NextResponse.json(35 { error: `API returned ${response.status}` },36 { status: response.status }37 )38 }3940 const data = await response.json()41 return NextResponse.json(data)42 } catch (error) {43 return NextResponse.json(44 { error: "Failed to reach external API" },45 { status: 502 }46 )47 }48}4950export async function POST(request: Request) {51 const { searchParams } = new URL(request.url)52 const service = searchParams.get("service")53 const path = searchParams.get("path")5455 if (!service || !path || !ALLOWED_APIS[service]) {56 return NextResponse.json(57 { error: "Invalid service or path" },58 { status: 400 }59 )60 }6162 const body = await request.json()63 const apiUrl = `${ALLOWED_APIS[service]}${path}`64 const apiKey = process.env[`${service.toUpperCase()}_API_KEY`]6566 const headers: Record<string, string> = {67 "Content-Type": "application/json",68 }69 if (apiKey) {70 headers["Authorization"] = `Bearer ${apiKey}`71 }7273 const response = await fetch(apiUrl, {74 method: "POST",75 headers,76 body: JSON.stringify(body),77 })7879 const data = await response.json()80 return NextResponse.json(data, { status: response.status })81}Best practices to prevent this
- Always route external API calls through Next.js API routes to avoid CORS entirely
- Never store API keys in client-side code — keep them in the V0 Vars panel and access via process.env in API routes
- Handle the OPTIONS preflight method explicitly when adding CORS headers to your own API routes
- Whitelist specific origins instead of using Access-Control-Allow-Origin: * in production
- Validate and sanitize the external API URL in your proxy route to prevent server-side request forgery (SSRF)
- Add error handling in your proxy route so external API failures return meaningful error messages to the client
- Use Access-Control-Max-Age to cache preflight responses and reduce redundant OPTIONS requests
- Test CORS behavior after deploying to Vercel, since V0 preview may handle requests differently
Still stuck?
Copy one of these prompts to get a personalized, step-by-step explanation.
My V0 Next.js app gets CORS errors when calling an external weather API from a client component. Help me create a Next.js API route that acts as a proxy, moving the external API call to the server side. The API key should come from environment variables, not client code.
Frequently asked questions
Why do CORS errors only appear after deploying my V0 app?
V0's Vercel Sandbox preview may proxy requests differently than a production Vercel deployment. In production, client-side fetch calls go directly from the browser to the external API, where CORS restrictions apply. Always test with a Next.js API route proxy to avoid this discrepancy.
Can I disable CORS in the browser to fix these errors?
No. CORS is a browser security feature that cannot be disabled from your application code. Browser extensions that disable CORS only affect your machine and do not fix the issue for your users. The correct solution is to move external API calls to a server-side API route.
Why does my API call work in Postman but not in V0?
Postman is not a browser and does not enforce CORS. Browsers block cross-origin responses that lack the Access-Control-Allow-Origin header. The API call succeeds from any server-side context — use a Next.js API route to make the call from the server.
How do I pass API keys securely when proxying through an API route?
Store API keys in the V0 Vars panel. They become available as process.env.YOUR_KEY in API routes (server-side code). Never pass API keys from the client — the proxy route adds them on the server before forwarding the request.
What is a CORS preflight request?
A preflight is an OPTIONS request the browser sends before the actual request when custom headers (like Authorization) are included. If the server does not respond with the correct Access-Control-Allow-* headers, the browser cancels the real request. Handle this by adding an OPTIONS handler to your API route.
Can RapidDev set up a proper API proxy architecture for my V0 project?
Yes. For projects that integrate with multiple external APIs, RapidDev can design a centralized proxy layer with proper rate limiting, error handling, caching, and security validation to ensure all external calls work reliably in production.
Talk to an Expert
Our team has built 600+ apps. Get personalized help with your issue.
Book a free consultation